TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices

March 23, 2007

Reference Number: 2007-20-048

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 23, 2007

MEMORANDUM FOR CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices (Audit # 200620001)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) is adequately protecting sensitive data on laptop computers and portable electronic media devices. The audit focused on the security of laptop computers and the encryption of sensitive data maintained on laptop computers.
We also evaluated the storage methods for backup tapes at non-IRS offsite facilities.

Impact on the Taxpayer

The IRS annually processes more than 220 million tax returns containing personal financial information and personally identifiable information such as Social Security Numbers. We found hundreds of IRS laptop computers and other computer devices had been lost or stolen, employees were not properly encrypting data on the computer devices, and password controls over laptop computers were not adequate. As a result, it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes.

Synopsis

IRS employees reported the loss or theft of at least 490 computers between January 2, 2003, and June 13, 2006. No organization is impervious to theft or loss of computers, especially an organization as large as the IRS with approximately 100,000 employees. Many incidents cannot be prevented, but employees can reduce the risk by taking precautions. For example, because a large number of laptop computers were stolen from vehicles and employees’ residences, employees may not have secured their laptop computers in the trunks of their vehicles or locked their laptop computers at home. Further, because 111 incidents occurred within IRS facilities, employees were likely not storing their laptop computers in lockable cabinets while the employees were away from the office.

IRS procedures require employees to report lost or stolen computers to the IRS Computer Security Incident Response Center (CSIRC) and to the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations.
Employees reported the loss or theft of at least 490 computers and other sensitive data in 387 separate incidents. Employees reported 296 (76 percent) of the incidents to the TIGTA Office of Investigations but not to the CSIRC. In addition, employees reported 91 of the incidents to the CSIRC; however, 49 of these were not reported to the TIGTA Office of Investigations. Coordination was inadequate between the CSIRC and the TIGTA Office of Investigations to identify the full scope of the losses.

We found limited definitive information on the lost or stolen computers, such as the number of taxpayers affected, when we conducted our review. However, we conducted a separate test on 100 laptop computers currently in use by employees and determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data. As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data. Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive. We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted. We reported similar findings in July 2003, but the IRS had not taken adequate corrective actions.

In addition to encryption solutions to protect sensitive data on its laptop computers, the IRS requires controls, such as usernames and passwords, to restrict access to laptop computers. However, 15 of the 44 laptop computers with unencrypted sensitive data had security weaknesses that could be exploited to bypass these security controls.
We believe system administrators either incorrectly configured the computers upon deployment or did not correctly reset the controls after working on the computers.

We also evaluated the security of backup data stored at four offsite facilities. Backup data were not encrypted and adequately protected at the four sites. For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media. Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006. Also, inventory controls for backup media were inadequate. We attributed these weaknesses to a lack of emphasis by management.

Recommendations

We recommended the Chief, Mission Assurance and Security Services, refine incident response procedures to ensure sufficient details are gathered regarding taxpayers potentially affected by a loss; coordinate with business units to better quantify past incidents; periodically remind employees of their responsibilities for protecting computer devices; consider purchasing computer cable locks for employees’ laptop computers; and periodically publicize an explanation of employees’ responsibilities for preventing the loss of computer equipment and taxpayer data, the penalties for negligence over these responsibilities, and a summary of actual violation statistics and disciplinary actions.

We recommended the Chief Information Officer include a reminder about encrypting sensitive information in the employees’ annual certification of
security awareness, including instructions on using approved encryption software on electronic media devices, such as flash drives; require front-line managers to periodically check their employees’ laptop computers to ensure encryption solutions are being used by employees; consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt; require system administrators to check security configurations when servicing computers; implement procedures to encrypt backup data sent to non-IRS offsite facilities; and ensure employees assigned to oversee these facilities conduct an annual inventory validation of backup media and a physical security check of the offsite facility used to store the media.

Response

IRS management agreed with all of our findings and most of the recommendations. For Recommendations 5 and 7, the IRS offered alternative corrective actions that adequately addressed our findings. We concur with the planned corrective action for Recommendation 5 and encourage the IRS to consider publishing annual statistics on disciplinary penalties. We also concur with the alternative corrective action for Recommendation 7 because implementation of disk encryption no longer requires employee actions to encrypt sensitive data. Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Employees Reported the Loss or Theft of at Least 490 Computers and Other Sensitive Data in 387 Incidents From January 2003 to June 2006
        Recommendations 1 and 2:
    Physical Security Was Not Adequate Over Computer Equipment
        Recommendations 3 through 5:
    Sensitive Data Were Not Encrypted on Laptop Computers and Other Electronic Media
        Recommendations 6 through 8:
    Access Controls on Laptop Computers Could Be Easily Circumvented
        Recommendation 9:
    Backup Data Were Not Encrypted and Adequately Protected
        Recommendations 10 and 11:

Appendices
    Appendix I – Detailed Objectives, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Office of Management and Budget Memoranda
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

CSIRC    Computer Security Incident Response Center
IRS      Internal Revenue Service
TIGTA    Treasury Inspector General for Tax Administration

Background

The Internal Revenue Service (IRS) annually processes more than 220 million tax returns containing personal financial information and personally identifiable information such as Social Security Numbers. If lost or stolen, taxpayer data can be used for identity theft and/or other fraudulent purposes. Identity theft refers to a crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for financial or economic gain.
According to the Federal Bureau of Investigation, identity theft is one of the fastest growing white collar crimes in the United States. The Department of Commerce estimates that more than 50 million identities were compromised in 2005.

Recently, safeguarding personally identifiable information has received much publicity. For example:
    • In September 2006, the Department of Commerce reported 1,138 lost, stolen, or missing laptop computers since 2001. Of these laptop computers, 249 contained sensitive information that identified individuals.
    • In May 2006, the Department of Veterans Affairs reported a stolen external hard drive. According to an audit performed by the Department of Veterans Affairs Office of Inspector General, the drive contained personal information on approximately 26 million veterans and United States military personnel. The data stolen were primarily limited to individuals’ names, dates of birth, and Social Security Numbers.
    • In April 2006, a data storage company announced losing a container of backup tapes that included personal information belonging to as many as 17,000 current and former employees of the Long Island Railroad. The IRS uses the same storage company to store backup data for some Area Offices.[1]
    • Also in April 2006, the news media reported that flash drives[2] previously owned by the Department of Defense were stolen from a military base and sold in an open market in a foreign country. The flash drives contained potentially sensitive military intelligence data, including the names, photographs, and telephone numbers of spies/informants working for the United States military.
      According to the news media, the documents appeared to be authentic, but the accuracy of the information could not be independently verified.

[1] Area Offices are located throughout the United States; they serve as the coordination point for and assist the public with tax issues.
[2] A flash drive is an external data storage device that plugs into the computer and emulates a small disk drive. It allows data to be easily transferred from one computer to another.

Most IRS employees use taxpayer information to carry out their responsibilities within the protection of IRS facilities; however, some employees are allowed to take electronic taxpayer data outside of the office for business purposes. For example, revenue agents may take electronic taxpayer records with them when conducting onsite visits to business taxpayers. In addition, as of July 2006, more than 25,000 IRS employees had the ability to access the IRS network from outside of IRS facilities. Overall, the IRS has over 47,000 portable laptop computers assigned to its employees.

Because taxpayer data are allowed to be taken outside of IRS facilities, additional security controls are required, such as:
    • Physically protecting computer devices – Employees in possession of computer devices must adhere to specific security policies and handling procedures to minimize the chance of loss or theft of the device.
      For example, when transporting a laptop computer in a vehicle, an employee should store the computer in the vehicle’s trunk or a place that is not visible from outside of the vehicle.
    • Encrypting[3] taxpayer data on computer devices – Even if a computer device is lost or stolen, the data can be protected if the data are encrypted. Encryption ensures no one other than the authorized user can access and view the data maintained on the computer device.
    • Using software controls to limit access to computers – If a computer is lost or stolen, the data can still be protected to some degree by requiring the user to enter a valid username and corresponding password soon after starting up the computer. This control can sometimes be bypassed if the computer is not properly configured.
    • Reporting incidents – Any employee who loses a computer must follow specific reporting instructions to ensure the proper authorities are notified. Actions should then be taken to disable user accounts and to look for clues, in case an attempt is made to use the computer to access the IRS network.

In addition, data that are backed up and stored offsite so operations can be restored in the event of a disaster may also be at risk.[4] If the backup location is not within the organization’s control (e.g., a contractor’s site), security policies and procedures must be implemented to ensure the data are protected from unauthorized access and fully accounted for.

[3] Encryption is a method to convert readable text (i.e., plaintext) to unreadable text (i.e., ciphertext) by applying mathematical algorithms and one or more encryption keys.
This is generally performed to protect the confidentiality, integrity, and authenticity of data during storage or transmission.
[4] In the event of a disaster, it is possible that all data maintained at a facility where the disaster occurred could be destroyed. For example, a building fire might destroy all data stored at the facility. An organization can reduce this risk by maintaining backup data at a different facility.

This review was part of our Fiscal Year 2006 Annual Audit Plan and was based on our findings from previous years of noncompliance in safeguarding taxpayers’ data.[5] We recognized the enormous risk of having taxpayer data outside of IRS offices and the importance of establishing policies and procedures, implementing security solutions to protect taxpayer data, educating employees on protecting taxpayer data, and following up to ensure security solutions are working as intended. As such, we had initiated this review prior to the Department of Veterans Affairs theft incident. During our review, the Office of Management and Budget[6] issued several memoranda to Federal Government agencies on the topic of safeguarding personally identifiable information.
Appendix V provides a brief explanation of these Office of Management and Budget memoranda.

This review was performed at the Area Offices in New Carrollton, Maryland; Laguna Niguel, California; Atlanta, Georgia; Cincinnati, Ohio; and Salt Lake City, Utah; the Campuses[7] in Fresno, California; Atlanta, Georgia; Covington, Kentucky; and Ogden, Utah; and 4 non-IRS offsite facilities located fewer than 40 miles from the 4 Area Offices (excluding the Area Office in New Carrollton, Maryland) during the period April through December 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[5] Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006) and Security Over Computers Used in Telecommuting Needs to Be Strengthened (Reference Number 2003-20-118, dated July 2003).
[6] The Office of Management and Budget ensures Federal Government agencies’ reports, rules, testimony, and proposed legislation are consistent with the President’s budget and with administration policies. The Office of Management and Budget’s role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.
[7] Campuses are the data processing arm of the IRS.
The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Results of Review

Employees Reported the Loss or Theft of at Least 490 Computers and Other Sensitive Data in 387 Incidents From January 2003 to June 2006

On June 15, 2006, we requested that the IRS provide us information on all incidents relating to the loss or theft of computer devices since April 2005. To fulfill our request, the IRS researched its own records from the IRS Computer Security Incident Response Center (CSIRC)[8] and validated its information with the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations, the law enforcement organization for internal IRS affairs. On July 10, 2006, the Chairman of the House Committee on Government Reform sent a letter to the Secretary, Department of the Treasury, requesting information on all incidents since January 1, 2003, involving the loss or compromise of any sensitive personal information held by the Department of the Treasury. As a result of our request and the House Committee on Government Reform letter, the IRS compiled a list of 387 incidents, including the loss or theft of at least 490 computers[9] from January 2, 2003, to June 13, 2006.

IRS procedures require that, when computers are lost or stolen, employees must report the incident to the TIGTA Office of Investigations for further investigation and possible recovery efforts.
In addition, employees must report the incident to the CSIRC for tracking actions, such as determining if anyone has attempted to use the computers to access the IRS network and follow-on actions such as canceling remote access accounts.

[Sidebar] Employees did not properly report 76 percent of all incidents of lost or stolen computers and/or sensitive data to the IRS CSIRC.

Prior to our June 2006 request for information on all incidents relating to the loss or theft of computer devices and/or personally identifiable information, the CSIRC was made aware of only 91 (24 percent) of the 387 incidents. Of the 91 incidents reported to the CSIRC, 42 were also reported to the TIGTA Office of Investigations and 49 were not. The

[8] The CSIRC provides assistance and guidance in incident response and provides a centralized approach to incident handling across the IRS enterprise.
[9] The 387 incidents included those for which the IRS was unable to determine the exact number of stolen or lost computers because that information was not captured in its database of incidents. Consequently, the number of lost or stolen computers for these incidents was counted as “1+.” On November 15, 2006, radio station WTOP reported 478 IRS laptop computers were lost or stolen between 2002 and 2006. The radio station had obtained the information from the IRS through the Freedom of Information Act (5 U.S.C.A Section 552 (West Supp. 2003)).
We attribute the difference in our results to the nature of information that can be released under the Freedom of Information Act and to different time periods covered by our audit and the station WTOP request.

TIGTA Office of Investigations was aware of 296 (76 percent) of the 387 incidents, none of which had been reported to the CSIRC.

When computer equipment is lost or stolen, the primary concern is the data contained on the computer. In conjunction with the CSIRC, we evaluated all 387 incidents to determine how many involved the loss or compromise of personally identifiable information and to identify the impact to taxpayers.

[Sidebar] We were unable to determine the full impact to the taxpayers for many of the incidents involving the loss or theft of computer equipment and/or taxpayer data.

We determined it was unlikely that 176 (45 percent) of the 387 incidents involved taxpayer data. For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved with the incidents.
We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups.

We believe IRS employees who reported incidents to the TIGTA Office of Investigations did not extend the reporting process to their own internal computer security organization. We surmised that employees were mainly concerned with the reporting of the incidents to law enforcement authorities and the investigation and recovery of the lost or stolen computer equipment. Managers of these employees and information technology support functions, who were involved with replacing computer equipment for the employees, did not ensure the CSIRC was notified of the incidents.

Prior to the Department of Veterans Affairs incident in May 2006, the CSIRC had not placed sufficient emphasis on identifying actual taxpayers potentially affected by lost or stolen computers. The TIGTA Office of Investigations did investigate many of these incidents, but its approach was from a criminal focus (e.g., identifying the perpetrator, recovering the stolen equipment). In addition, coordination between the CSIRC and the TIGTA Office of Investigations was inadequate to identify the full scope of the losses.

On July 7, 2006, the Chief, Mission Assurance and Security Services, issued a memorandum regarding Updated Guidance for IRS Computer Security Incident Reporting to all IRS heads of office. This memorandum reemphasized reporting requirements and stated that all computer security incidents shall be reported to the CSIRC and to front-line managers. In addition, any incident involving physical loss of equipment that could result in unauthorized access to IRS systems or information must also be reported to the TIGTA Office of Investigations.
Prior to issuance of this memorandum, the IRS Commissioner had issued an email to all IRS managers, reminding them to safeguard personally identifiable information and to immediately report any security incidents to the CSIRC. The email message also stated that, for cyber-security incidents involving access to or disclosure of taxpayer data or possible incidents of identity theft, managers should work with the CSIRC to promptly notify the TIGTA Office of Investigations. As a final measure to ensure total coordination, the IRS is in the process of entering into an agreement with the TIGTA Office of Investigations to share all incidents relating to the loss or theft of information technology assets.

The above corrective actions taken by the IRS during our audit should sufficiently address the causes of the lack of full reporting by employees. However, on July 19, 2006, the Chairman of the House Committee on Government Reform introduced legislation to require Federal Government agencies to make public notifications in the event of data breaches involving sensitive information. The legislation, which would amend the Federal Information Security Management Act,[10] directs the Office of Management and Budget to establish policies, procedures, and standards for agencies to follow if sensitive personal information is lost or stolen.
In anticipation of this legislation, we are making the following recommendations.

Recommendations

The Chief, Mission Assurance and Security Services, should:

Recommendation 1: Refine CSIRC reporting and handling procedures to ensure sufficient details are gathered and recorded in the incident writeups regarding taxpayers potentially affected by a loss and the nature of the lost data.

    Management’s Response: The IRS agreed with this recommendation. The Mission Assurance and Security Services organization has refined the incident handling and reporting procedures to ensure sufficient details are gathered and recorded regarding taxpayers potentially affected by the loss and the nature of the lost data. These refinements include the creation of a Personally Identifiable Information Incidence Working Group, which has developed an incident management policy; a personally identifiable information analysis template; and a risk analysis framework. These efforts have resulted in modification to the CSIRC intake process and a handoff of appropriate incidents to the core response group for disposition.

Recommendation 2: Coordinate with the business units that have reported lost or stolen computer devices since 2003 and quantify the impact to taxpayers in terms of how many taxpayers were affected by the incidents and what personally identifiable information was lost.

    Management’s Response: The IRS agreed with this recommendation. Between July and September 2006, the Mission Assurance and Security Services organization launched two efforts to refine CSIRC reporting and handling procedures. First, for each of the

[10] This Act is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002).
The Federal Information Security Management Act includes protecting information and information systems from
unauthorized access, use, disclosure, or modification, including controls for disclosure and confidentiality to protect
personal privacy.

       business units that have reported lost or stolen computer devices since 2003, the Mission
       Assurance and Security Services organization has requested a quantification of the
       impact to taxpayers and a determination of the lost data. In addition, the CSIRC made
       modifications to reporting and handling procedures to capture details regarding the types
       of data elements, the encryption status of each affected asset, and the number of
       potentially affected individuals.
       Second, the Office of Privacy and Information Protection established a cross-functional
       working group to ensure the appropriate focus on details involving the data and
       encryption status of each incident. At the same time, the group ensured the reporting and
       handling of incidents do not violate privacy requirements. The membership of the
       working group included subject-matter experts from across the IRS (e.g., the Office of
       Disclosure, the Office of Chief Counsel, the Office of Labor Relations, the CSIRC, and
       the Office of Privacy and Information Protection).

Physical Security Was Not Adequate Over Computer Equipment
No organization is impervious to theft or loss of computers, especially an organization as large as
the IRS with approximately 100,000 employees and over 47,000 laptop computers assigned to its
employees.
To minimize the risk of theft or loss of computer equipment, the IRS has established
basic computer security procedures for its employees. For example, employees are responsible
for ensuring security over their laptop computers when not in their possession by storing them in
a locked container or physically securing them to immovable furniture with a cable lock when
not in use. When in transit, on business trips, or commuting to the workplace, employees shall
secure the laptop computer in a vehicle trunk. When traveling by plane, bus, or train, employees
shall retain possession of the laptop computer under the seat in front of the employee rather than
in an overhead bin. Employees shall not check laptop computers with luggage at airports, leave
laptop computers unattended in public places, leave laptop computers in plain view when leaving
the hotel room, or leave laptop computers at home where sensitive information can be easily
seen.
Despite these security requirements, since 2003 the IRS has been averaging nine incidents per
month relating to the theft or loss of computer equipment and/or taxpayer data. Many incidents
cannot be prevented; however, because most losses of computer devices and data occur outside
of IRS facilities, employees must be particularly cognizant of the risks.
The total number of incidents has increased each year, as illustrated in Figure 1.

Figure 1: Number of Incidents of Theft or Loss of Computer
Equipment and/or Taxpayer Data (2003 – 2006)

    Year                 Number of Incidents
    2003                          76
    2004                          96
    2005                         134
    2006 (projected)             162

Source: TIGTA analysis and projection based on CSIRC and
TIGTA Office of Investigations data.

The projected volume of incidents for 2006 was based on doubling the known volume of
81 incidents from January to June 2006. We believe the recent attention to and current
reemphasis on employee responsibility over safeguarding computer equipment and taxpayer data
should raise the level of employee awareness, thus reducing the number of preventable incidents.
However, understanding the nature and circumstances of the 387 reported incidents may provide
insight into how to prevent future losses from occurring.
We categorized the 387 incidents by item type, as shown in Figure 2.

Figure 2: Number of Incidents of Theft or Loss of Computer
Equipment and/or Taxpayer Data Categorized by Item Type

    Item Type                     Number of Incidents11    Actual Number of Items
    Laptop Computers                      345                       477
    Desktop Computers                      10                        13
    Peripherals                            30                        36
    ID Badges or Commissions               26                        26
    Hardcopy Documents                     22                       171
    Tapes or Portable Drives               10                        11
    Blackberrys or Cell Phones              6                         6
    Other or Unknown Items                  8                        69

Source: TIGTA analysis of CSIRC and TIGTA Office of Investigations data.

11 Some incidents involved multiple types of items. Therefore, the number of incidents does not total 387 incidents.

As Figure 2 illustrates, laptop computers overwhelmingly represent the largest category of lost or
stolen items. Because of the portability and monetary value of laptop computers, they tend to be
an attractive target for thieves.
The lack of physical security provided to these and other
computer devices increased the risk that taxpayer data could be lost or stolen and used for
fraudulent purposes. For further perspective, we segregated the incidents by the location where
the theft or loss occurred, as presented in Figure 3.

Figure 3: Location of Theft or Loss

    Location of Theft/Loss                           Number of Incidents    Percentage (Based on 387 incidents)
    IRS Facility                                             111                          29%
    Vehicle                                                   89                          23%
    Volunteer Income Tax Assistance Site                      53                          14%
    Residence                                                 35                           9%
    Hotel                                                     11                           3%
    Airport                                                    7                           2%
    Travel Status (specific location not known)                4                           1%
    Public Transportation (planes, trains, buses)              4                           1%
    Taxpayer Site                                              4                           1%
    Freight Company                                            4                           1%
    Unspecified/Unknown Location                              65                          17%

Source: TIGTA analysis of CSIRC and TIGTA Office of Investigation data.

Figure 3 illustrates areas where the IRS can focus attention when providing additional guidance
and assistance to its employees. For example, because 111 incidents occurred within IRS
facilities, employees were likely not storing their laptop computers in lockable cabinets while the
employees were away from the office.
Further, because a large number of laptop computers
were stolen from vehicles and employees’ residences, employees may not have secured their
laptop computers in the trunks of their vehicles or locked their laptop computers at home.
Sufficient documentation was not available to evaluate the circumstances surrounding most of
the 387 incidents. However, we determined that at least 24 of the incidents could have been
prevented if employees had followed IRS policies and procedures.
   •   Fourteen incidents involved employees storing the laptop computers in unlocked vehicles
       or in the front seat or back seat of their vehicles, with the computers being visible through
       the windows, or employees forgetting to place computers into their vehicles.
   •   Seven incidents involved employees leaving computers on buses and trains and at
       airports.
   •   Three incidents occurred because employees checked their computers at an airport.
The 24 incidents involved personally identifiable information for 480 individuals. The loss of
these records, which consisted of taxpayer and employee information, also could have been
prevented had the incidents not occurred.
We obtained information on whether disciplinary actions were taken against the responsible
employees for 18 of the 24 incidents and found that only 1 employee involved in the 18 incidents
was disciplined. The IRS’ own guide for penalty determinations indicates the loss of Federal
Government property may result in discipline ranging from a written reprimand to a 14-day
suspension for a first offense.
We believe disciplining employees for security violations
resulting from negligence or carelessness could deter others from neglecting their responsibilities
for protecting Federal Government property.

Recommendations
The Chief, Mission Assurance and Security Services, should:
Recommendation 3: Provide employees periodic reminders of their responsibilities for
protecting computer devices, which, at a minimum, should include storing laptop computers in
locking cabinets in the office, storing laptop computers in the trunks of vehicles, and securing
laptop computers at home or alternate work locations.
       Management’s Response: The IRS agreed with this recommendation. It has
       established a strategic communications team to lead an integrated effort reminding
       employees of their responsibilities regarding the protection of personally identifiable
       information and assets, including proper storage of laptop computers.
       Between June 2006 and December 2006, the strategic communications team issued
       several targeted messages to all IRS employees. Employees have also received periodic
       reminders of their responsibilities for protecting computing devices. In addition, this
       topic was included on the Information Protection Mandatory Awareness briefing in 2006.
       This important message will remain a focal point for the strategic communications team
       and is a standard part of ongoing communications activities.
Recommendation 4: Consider purchasing computer cable locks for employees to provide an
additional layer of security at their residence, hotel, or taxpayer site. Instructions should be
provided on how to use the locks and the best method to secure the laptop computer to an
immobile or heavy object.
       Management’s Response: The IRS agreed with this recommendation.
       It purchased
       combination cable locks for all laptop computers on August 31, 2006, and is distributing
       the locks to all laptop computer users. In addition, the IRS has established instructions to
       employees on how to use the lock and issued an interim policy to clarify the use of
       computer cable locks for employees.
Recommendation 5: Periodically publicize an explanation of employees’ responsibilities for
preventing the loss of computer equipment and taxpayer data, the associated disciplinary
penalties for negligence over these responsibilities, and a statistical summary of actual violations
and disciplinary actions relating to loss of computer equipment and taxpayer data.
       Management’s Response: The IRS agreed with the intent of this recommendation
       but proposed an alternative corrective action. As a part of the mandatory annual
       information protection training, the Mission Assurance and Security Services
       organization will explain employees’ responsibilities for preventing the loss of computer
       equipment and taxpayer data and the associated disciplinary penalties for negligence over
       these responsibilities.
       Publicizing statistical summaries presents privacy and labor
       relations issues for the IRS; therefore, it will implement a communications plan that
       includes issuing regular announcements highlighting the disciplinary penalties, to remind
       employees to be vigilant in protecting personally identifiable information and agency
       equipment.
       Office of Audit Comment: We acknowledge that publicizing statistical summaries of
       actual violations and disciplinary actions relating to loss of computer equipment and
       taxpayer data could reveal the identity of those employees involved, particularly if the
       numbers are very low, and possibly violate privacy requirements. Therefore, we concur
       with the alternative corrective action for this recommendation and encourage the IRS to
       consider publishing annual statistics on disciplinary penalties, which should hide the
       identities of employees affected and illustrate the consequences of noncompliance to
       security policies and procedures.

Sensitive Data Were Not Encrypted on Laptop Computers and Other
Electronic Media
On June 8, 2006, the Chief, Mission Assurance and Security Services, testified before the House
Committee on Government Reform about the security of taxpayer data on computers used by the
IRS. He stated all IRS computers have tools that allow users to encrypt taxpayer data, personally
identifiable information, and sensitive information.
The IRS does require all sensitive data on laptop computers to be encrypted. As part of this
requirement, the IRS has established two encryption solutions available to employees. First,
laptop computers are configured to encrypt data residing in specific file folders on the internal
hard drive. This encryption solution is part of the computer’s operating system. Employees
need only to save sensitive files to these file folders and the computer will automatically encrypt
the files.
Second, the IRS can provide employees with a separate encryption program to encrypt
files. This solution is particularly effective when encrypting files not stored on the computer’s
internal drive (e.g., files stored on CDs and DVDs).
To test the encryption of sensitive data, we selected 100 laptop computers from 4 IRS Area Offices
supporting the Wage and Investment, Small Business/Self-Employed, and Large and Mid-Size
Business Divisions. We found 44 of the 100 laptop computers contained unencrypted sensitive data.
Of these 44 laptop computers, 31 held taxpayer data and 17 held employee personnel data
(4 held both taxpayer and personnel data). The following are examples of the unencrypted sensitive data:
       •   U.S. Individual Income Tax Return (Form 1040).12
       •   U.S. Corporation Income Tax Return (Form 1120).13
       •   Audit-related information, such as case history on current audits and financial data of
           taxpayers being audited.
       •   Various IRS forms with Social Security Numbers.
       •   Employee evaluations, timesheets, and applications for reassignment.
We believe it is very likely a large number of the lost or stolen computers presented in the
previous findings contained similar unencrypted data.
The IRS had defined directories on the
hard drives where sensitive data should have been stored and encrypted. We found, however,
that employees frequently placed sensitive data outside of those directories, either because the
employees were not aware of the security requirements or for their own convenience. In
addition, we found employees did not know that their own personal data were considered
sensitive.
In addition to the unencrypted sensitive data on laptop computers, we found other computer
devices on which sensitive data were not always encrypted, contrary to IRS procedures. Of the
100 employees in our sample, 20 had small portable flash drives. Fifteen employees informed us
that the IRS had purchased flash drives for them, while five employees had purchased their own
flash drives although the IRS prohibits the use of privately owned portable electronic devices to
process, store, or transmit sensitive IRS information.
       •   For the 15 employees in possession of IRS-purchased flash drives, we found employees
           either stored sensitive unencrypted data on the flash drives, used an IRS-approved
           encryption solution, did not store sensitive data, or did not have the opportunity to use the
           flash drives.
       •   For the five employees in possession of self-purchased flash drives, we found employees
           either stored sensitive unencrypted data, had a system administrator install an encryption
           program on the flash drive, or did not store sensitive data on the devices.
In addition, 54 of the 100 employees were using various other computer media (e.g., floppy
disks, DVDs, and CDs) to store taxpayer data without encryption.
For example, employees were
using unencrypted CDs to back up taxpayer case information, to store grand jury information,
and to retain tax information provided by taxpayers.

12 Form 1040 is the IRS form used by individuals to report and file Federal income taxes.
13 Form 1120 is the IRS form used by corporations to report and file Federal income taxes.

During our site visits, various IRS organizations distributed documents regarding the need to
encrypt taxpayer data. For example, on June 2, 2006, the Commissioner, Small
Business/Self-Employed Division, issued an email to all of his managers and employees
reminding them of the IRS security policy for storing files that contain taxpayer information or
other sensitive and private information on laptop computers or other portable media storage
devices. The email also discussed the process the managers must follow to ensure all employees
in their groups understand their responsibilities to protect sensitive data. In addition, several
employees informed us they had “cleaned up” the files on their computers prior to our visits.
Even with the issuance of this email and the publicity of our review, we did not see improvement
from our initial site visit to our last site visit.
Media storage devices, especially flash drives, have become popular and affordable over the last
few years. Their small size and portability increase the likelihood that they could be lost or
stolen.
By not encrypting the data on laptop computers and media devices, the IRS is
unnecessarily exposing taxpayer data to unauthorized access, theft, or loss.
In July 2003, we reported14 that sensitive files were not adequately encrypted on IRS laptop
computers. In that report, we made the following recommendations to the IRS that pertained to
encrypting sensitive data:
     •   Periodically remind telecommuting employees to store and encrypt sensitive information
         in secure locations on their laptop computers.
     •   Develop guidance to assist functional managers in determining whether sensitive data are
         being stored in unencrypted areas on their employees’ laptop computers.
     •   Require front-line managers to periodically check their employees’ laptop computers to
         ensure sensitive data are being properly stored and encrypted.
The IRS only partially agreed with the third recommendation, stating it agreed that employee
compliance with encryption steps for safeguarding data on laptop computers is important.
However, the IRS believed that, to ensure enterprise-wide consistency, the review of laptop
computers should be conducted by the IRS security professionals rather than front-line
managers.
To ensure enterprise-wide consistency for reviewing this issue, the IRS agreed to
develop sampling criteria, develop review methodology, and conduct followup actions from
review results.
In an Office of Audit Comment to management’s response to the July 2003 report, we replied
that we did not believe merely asking the security professionals to review a sample of laptop
computers would correct the issue. While we recognized the many demands on front-line
managers, periodically reviewing employees’ laptop computers to ensure proper encryption
should be considered an integral responsibility for managers and should not be difficult or
time consuming.

14 Security Over Computers Used in Telecommuting Needs to Be Strengthened (Reference Number 2003-20-118,
dated July 2003).

The IRS reported it had completed the corrective action to close the first two recommendations
and postponed corrective action on the third recommendation until January 2008. However, we
were unable to find any supporting documentation for those closed actions, and it appears the
IRS may not have completed the corrective actions as reported.
As a result, these issues persist
today.

Recommendations
The Chief Information Officer should:
Recommendation 6: Include a reminder in the annual certification of security awareness that
employees should store encrypted sensitive information in a secure location on their laptop
computers and show them how to use commercial software approved by the IRS to encrypt
sensitive data on electronic media devices, such as flash drives.
       Management’s Response: The IRS agreed with this recommendation. It has
       developed and implemented a mandatory Information Protection training module and
       encryption job aids for all employees to remind them of their responsibilities to secure
       personally identifiable information and how to use available encryption technologies.
Recommendation 7: Require front-line managers to periodically check their employees’
laptop computers to ensure encryption solutions are being used by employees and sensitive data
are encrypted properly.
       Management’s Response: The IRS agreed with the intent of this recommendation
       but proposed an alternative corrective action. The IRS mandated the implementation of
       disk encryption, which encrypts all contents on the entire hard drive of the computer, for
       all laptop computers and will issue a policy requiring all employees to annually certify
       they are using encryption tools properly to protect sensitive data.
       Office of Audit Comment: Because the implementation of disk encryption no longer
       requires employee actions to encrypt sensitive data, we concur with the alternative
       corrective action to this recommendation.
Recommendation 8: Consider implementing a systemic disk encryption solution on laptop
computers. When the entire hard drive is encrypted, employees will no longer have to determine
what data need to be encrypted.
This solution will supplement the two existing encryption
solutions previously discussed.
         Management’s Response: The IRS agreed with this recommendation. It has
         implemented an enterprise-wide disk encryption initiative and mandated that the systemic
         disk encryption solution be installed on all laptop computers. This solution encrypts the
         entire hard drive and requires access authentication whenever a laptop has been turned
         off. If a laptop computer is lost or stolen, unauthorized users will be unable to access any
         data on the hard drive.

Access Controls on Laptop Computers Could Be Easily Circumvented
In addition to encryption solutions to protect data on its computer devices, the IRS has
implemented security controls (generally referred to as authentication controls15) to restrict who
can access the computers. All laptop computers are equipped with logon screens once the
computers are turned on. The user must enter an acceptable username and the associated
password before the computer allows the user to access its computing resources.
The password protection mechanism does not activate until the completion of the computer’s
startup process, which is referred to as the boot process.
When a user presses the power button
on a computer, the computer automatically initiates the boot process, which causes the computer
to execute preset instructions located on the hard drive of the computer including the security
processes.
However, a computer’s boot process can be interrupted by pressing one of the function keys16
immediately after powering up the computer. After the boot process is interrupted, the computer
may request the user to enter the administrator boot process password. If the boot process
password is not enabled, the computer will automatically enter into the boot process settings,
where the user can make changes to the boot process like activating or disabling special controls.
For the 44 laptop computers that contained unencrypted sensitive data from the previous finding,
we found that 15 computers contained a security weakness in the boot process.
     •   Three of the 44 laptop computers were configured to boot from a location other than the
         hard drive. IRS procedures require that all computers boot only from the internal
         hard drive. When a computer is allowed to boot from the removable media drive
         (e.g., CD drive), an employee, as well as any hacker, can insert a CD into the computer
         and the computer will automatically initiate its boot process from that disk. If the CD
         contains its own operating system, the computer will bypass all security controls
         established on the computer’s operating system, including the password access control.

15 Authentication controls are used to verify the identity of the user accessing a computer or computer network and
generally involve the use of passwords.
The computer or computer system would require the input of a valid
username and corresponding passwords to proceed with accessing the computer or computer system.
16 Each computer manufacturer designates a different function key to interrupt the boot process.

     •   Six of the 44 laptop computers did not have the password enabled to protect the
         computers’ boot process. IRS procedures require that all computers have this password
         enabled so only authorized personnel, usually system administrators, can make changes
         to the boot processes. When no password is enabled to protect the boot order, anyone can
         interrupt the computer’s normal boot sequence, access the boot settings, and change the
         boot order sequence so the computer will boot from the disk drive as opposed to the
         computer’s hard drive.
     •   An additional 6 of the 44 laptop computers were configured to boot from a location other
         than the hard drive and did not have the password enabled to protect the computers’
         startup process.
We also identified one other significant computer security violation on one of the computers we
reviewed. An employee wrote user account names and passwords to the computer and various
systems to which the employee has access on a piece of paper that was taped to the laptop
computer. The IRS requires employees to safeguard passwords and keep them hidden.
If this
computer was lost or stolen, the perpetrator would have access to the computer’s contents as well
as the systems listed on the piece of paper.
Each of these weaknesses could allow unauthorized persons to bypass security controls,
including passwords, to gain access to the data on the computers, particularly considering the
lack of physical security and encryption controls we previously discussed. We believe system
administrators either incorrectly set up the computers upon deployment or did not correctly reset
the boot order settings after working on the computers. System administrators are the only
individuals who should have knowledge of the boot process password.
We have previously reported findings about weak security settings.17 In July 2003 and
February 2006, we conducted a similar test to determine if laptop computers were properly
configured to protect the computers’ boot process. The test results revealed that computer
startup processes were incorrectly set, similar to what we found in this review. Each report had a
recommendation to address this problem.
     •   In the February 2006 report, we recommended the IRS hold system administrators
         accountable for ensuring the boot process password is enabled and the boot order lists
         only the hard drive as the boot initiation process. The IRS responded that there was no
         way for it to hold system administrators accountable because of the lack of workstation
         audit trails.
      However, the Chief Information Officer would issue a memorandum to all workstation administrators containing the expectations that the boot process is enabled and that the boot order lists only the hard drive as the boot initiation process.
    • In the July 2003 report, we recommended the IRS remind system administrators to reset security settings after servicing laptop computers.

[17] Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006) and Security Over Computers Used in Telecommuting Needs to Be Strengthened (Reference Number 2003-20-118, dated July 2003).

We obtained a memorandum issued on March 20, 2006, by the Chief Information Officer that addressed the February 2006 recommendation. The IRS reported it had completed the corrective actions to close both recommendations. However, we were unable to find any supporting documentation for closing the July 2003 recommendation, even though it was reported as completed. Regardless, actions taken to resolve this issue have not been effective.

Recommendation

The Chief Information Officer should:

Recommendation 9: Require system administrators, when servicing a laptop computer, to check the boot process settings to ensure the boot process password is enabled and the boot order lists only the hard drive as the boot initiation process.
System administrators should document completion of this task.

    Management’s Response: The IRS agreed with this recommendation. The Chief Information Officer will issue a memorandum that requires all workstation administrators, when servicing a laptop computer, to document the correct boot process settings via an Enterprise Workstation Check List. With the addition of enterprise-wide disk encryption, the boot initiation process is relegated to the hard drive by individuals who possess a disk encryption access profile resident on the workstation.

Backup Data Were Not Encrypted and Adequately Protected

In the event of a disaster such as a fire, it is possible that all data maintained at a facility could be destroyed. The IRS reduces this risk by maintaining backup data at offsite facilities. Because IRS backup data are often sensitive, controls must be in place to protect against unauthorized access, theft, or loss. In addition, the IRS often uses vendors to store backup media, which may increase the risk of unauthorized access.

The National Institute of Standards and Technology recommends that organizations encrypt backup information.[18] At the opening conference for this review, IRS officials informed us the IRS does not encrypt backup media that are sent to offsite facilities. The IRS policy handbook

[18] National Institute of Standards and Technology Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

    • Conduct an annual internal physical security review of the non-IRS offsite facility to determine that the site meets IRS requirements.

      Management’s Response: The IRS agreed with this recommendation. The Chief Information Officer will review and update the procedure to ensure oversight responsibilities are clearly defined for the annual inventory validation of backup media, for periodic checks of facilities’ access lists, and for annual physical security reviews.

Appendix I

Detailed Objectives, Scope, and Methodology

The overall objective of this review was to determine whether the IRS is adequately protecting sensitive data on laptop computers and portable electronic media devices. The audit focused on the security of laptop computers and the encryption[1] of sensitive data maintained on laptop computers.
We also evaluated the storage methods for backup tapes at non-IRS offsite facilities.

To accomplish our objectives, we:

I.   Evaluated the security policies and procedures established to protect sensitive data on laptop computers and portable electronic storage media, methods of cleansing sensitive data from electronic media, and storage method for backup tapes at non-IRS offsite facilities.
     A. Evaluated IRS security policies, procedures, and guidelines related to laptop computers and electronic media.
     B. Evaluated Federal Government guidance on security policies, procedures, and guidelines related to laptop computers and electronic media.
     C. Interviewed officials from the Office of the Chief Information Officer regarding IRS security policies, procedures, and guidelines related to laptop computers and electronic media.
II.  Determined the effectiveness of procedures and controls implemented to protect sensitive data on laptop computers and portable electronic media.
     A. Analyzed the report of 387 incidents of stolen/lost IRS laptop computers and computer devices or lost personally identifiable information from January 2, 2003, to June 13, 2006, received from the CSIRC[2] and the TIGTA Office of Investigations. For each incident, we:
        1. Identified how the incidents occurred and determined whether the laptop computers contained sensitive information based on the information provided.
        2. Determined whether the incidents were reported to the CSIRC and to the TIGTA Office of Investigations.

[1] Encryption is a method to convert readable text (i.e., plaintext) to unreadable text (i.e., ciphertext) by applying mathematical algorithms and one or more encryption keys.
This is generally performed to protect the confidentiality, integrity, and authenticity of data during storage or transmission.
[2] The CSIRC provides assistance and guidance in incident response and provides a centralized approach to incident handling across the IRS enterprise.

     B. Selected a judgmental sample of 100 laptop computers from 4 IRS Area Offices.[3] Because the IRS maintained over 47,000 laptop computers, we obtained agreement from the Mission Assurance and Security Services[4] and the Modernization and Information Technology Services[5] organizations on our sample size and site selection. The four sites visited were the Area Offices in Laguna Niguel, California; Atlanta, Georgia; Salt Lake City, Utah; and Cincinnati, Ohio. We used a judgmental sample because we were not projecting the audit results. The first two site visits were announced weeks in advance; the last two site visits were unannounced due to concerns about giving warning to employees prior to our visits. The samples consisted of those employees who used taxpayer data as part of their official duties.
     C. At the four sites:
        1. Interviewed the nine system administrators to identify the products used to encrypt sensitive data stored on laptop computers; the process to set encryption on sensitive files; how the security policies are communicated to employees; and the local policy on portable electronic media, with a focus on flash drives.[6]
        2. Interviewed the 100 employees assigned to the sample of 100 computers to determine the employees’ awareness and knowledge of the encryption process; how sensitive information was encrypted on the laptop computers; and whether the employees used self-purchased or Federal Government-issued flash drives and, if they did, asked why and what information was stored on the flash drives and whether the flash drives were encrypted.
        3. Determined whether taxpayer information stored on laptop computers was unencrypted by analyzing the hard drives on the 100 laptop computers.
        4. Evaluated the controls over the protection of the boot process[7] on the sample of the 100 laptop computers.

[3] Area Offices are located throughout the United States; they serve as the coordination point for and assist the public with tax issues.
[4] The Mission Assurance and Security Services organization supports the vital mission of the IRS by assuring the security and resilience of critical Agency functions and business processes.
[5] The Modernization and Information Technology Services organization is responsible for providing information technology support and services for the IRS by building and maintaining information systems that will help the IRS achieve its mission, objectives, and business vision.
[6] A flash drive is an external data storage device that plugs into the computer and emulates a small disk drive.
It allows data to be easily transferred from one computer to another.
[7] The boot process represents the computer’s internal process of starting when powered up. This process involves the execution of preset instructions located on the computer’s hard drive, including startup of security features of the computer such as password protection.

III. Determined the effectiveness of procedures and controls implemented to protect sensitive data on media such as backup media when data are stored at non-IRS offsite facilities. The non-IRS offsite facilities were located fewer than 40 miles from the selected Area Offices.
     A. Assessed the security and encryption placed on backup media that are to be stored at non-IRS offsite facilities.
     B. Assessed the security of the method of transportation used to ship backup media to non-IRS offsite storage facilities.
     C. Assessed the adequacy of the physical security controls where the media were stored.
     D. Reconciled the list of backup media to assess the accuracy and completeness of the written inventory.
     E. Validated the list of IRS employees authorized to access the non-IRS offsite storage facilities and view tapes.
IV.  Determined the effectiveness of actions taken by the IRS to cleanse sensitive data from electronic media that are to be reused or discarded at the Campuses[8] in Fresno, California; Atlanta, Georgia; Covington, Kentucky; and Ogden, Utah.
     A. Assessed the procedures used to process laptop computers for disposal and determined whether these procedures meet IRS guidelines.
        1. Interviewed responsible staff members and obtained records of actions taken to cleanse sensitive data that might reside on the media before disposal of the equipment, including backup tapes.
        2. Obtained a list of the various types of equipment that are cleansed and a description of all the cleansing techniques used and when each type is applicable.
        3. Identified where equipment awaiting disposal is stored and the final destination of the disposed equipment.
        4. Identified actions taken to remove items from the Information Technology Asset Management Systems, the official IRS computer inventory recordkeeping system.
     B. Assessed the adherence to disposal procedures and noted any variation or noncompliance. We also verified whether equipment had been cleansed of all readable data.

[8] Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Joseph Cooney, Acting Audit Manager
Midori Ohno, Lead Auditor
Richard Borst, Senior Auditor
Louis Lee, Senior Auditor
Abraham Millado, Senior Auditor
Jackie Nguyen, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Chief Information Officer OS:CIO
    Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.
This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:
    • Taxpayer Privacy and Security – Potential; 480 individuals affected (see page 7).

Methodology Used to Measure the Reported Benefit:
Our objective was to determine whether the IRS is adequately protecting sensitive data on laptop computers. We found that employees reported 387 incidents from January 2, 2003, to June 13, 2006, involving the loss or theft of computer equipment and/or sensitive data. Based on the available information for the 387 incidents, we determined at least 24 of the incidents could have been prevented if employees had followed IRS policies and procedures. The 24 incidents involved personally identifiable information for 480 individuals. The loss of these records, which consisted of taxpayer and employee information, also could have been prevented had the incidents not occurred.

Recommendations 3 through 5 should increase awareness and reinforce employee responsibilities on computer security and should decrease the number of incidents that can be prevented by adhering to IRS policies and procedures.

Appendix V

Office of Management and Budget Memoranda

The Office of Management and Budget[1] has issued several memoranda addressing data protection in Federal Government bureaus and agencies.

    • M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006).
      This memorandum reemphasizes the responsibilities of Federal Government agencies regarding laws and policies for safeguarding sensitive personally identifiable information. The memorandum also requires agencies to remind employees of their responsibilities within 30 calendar days of the issuance of this memorandum.
    • M-06-16, Protection of Sensitive Agency Information (June 23, 2006). This memorandum recommends that four actions to protect sensitive agency data be taken by all agencies: (1) encrypt all data on mobile devices, (2) allow remote access only with 2 separate mechanisms of authentication, (3) use a 30-minute inactivity timeout function for remote access, and (4) log all computer data extracts from databases and ensure data are erased after 90 calendar days unless the data are still needed. The memorandum also provides a checklist for protecting remote information for agencies to complete within 45 calendar days of the issuance of this memorandum.
    • M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006). This memorandum requires that all incidents involving personally identifiable information be reported to the United States Computer Emergency Readiness Team[2] within 1 hour of discovery.
    • M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act[3] and Agency Privacy Management (July 17, 2006). This memorandum provides additional instructions and requires additional information for the 2006 Act submission.

[1] The Office of Management and Budget ensures agencies’ reports, rules, testimony, and proposed legislation are consistent with the President’s budget and administration policies.
The Office of Management and Budget’s role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.
[2] The United States Computer Emergency Readiness Team is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, the Team coordinates defense against and response to cyber attacks across the nation.
[3] This Act is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002). The Federal Information Security Management Act includes protecting information and systems from unauthorized access, use, disclosure, or modification, including controls for disclosure and confidentiality to protect personal privacy.

Appendix VI

Management’s Response to the Draft Report